Release notes for update package 1882-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:        Thursday May 22, 2025
MD5 CHECKSUM:        03e7aa2b1c68a98ed531c300bfe3a077
SHA1 CHECKSUM:       61d4063ca4b6e9bf52ce21e652e5d015da13a498
SHA256 CHECKSUM:     60a39bf14fe370eb83d3b32ee55e5ea99f3a8ffa7d11b5e08dbf3f595f23bf3e

UPDATE CRITICALITY:  HIGH

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Gladinet CentreStack detected | CVE-2025-30406 | Gladinet-CentreStack-MachineKey-Hard-Coded-Credentials-CVE-2025-30406
High | An attempt to exploit a vulnerability in Online Car Rental System detected | CVE-2024-57487 | Car-Rental-System-1.0-File-Upload-RCE-CVE-2024-57487
High | An attempt to exploit a vulnerability in OpenEMR Development Team OpenEMR detected | CVE-2024-22611 | Openemr-Pharmacy-SQL-Injection-CVE-2024-22611
High | An attempt to exploit a vulnerability in Kamailio detected | CVE-2018-14767 | Kamailio-SIP-To-Header-Out-Of-Bounds-Read-CVE-2018-14767
High | An attempt to exploit a vulnerability in Spring Data REST detected | CVE-2017-8046 | Spring-Data-REST-Remote-Code-Execution-CVE-2017-8046
Low | An attempt to exploit a vulnerability in Moxa MXview detected | CVE-2017-7455 | Moxa-MXview-Private-Key-Disclosure-CVE-2017-7455


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Openemr-Pharmacy-SQL-Injection-CVE-2024-22611 | CVE-2024-22611 | HTTP_CS-Openemr-Pharmacy-SQL-Injection-CVE-2024-22611 | Suspected Compromise
High | Spring-Data-REST-Remote-Code-Execution-CVE-2017-8046 | CVE-2017-8046 | HTTP_CS-Spring-Data-REST-Remote-Code-Execution-CVE-2017-8046 | Suspected Compromise

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
Low | Moxa-MXview-Private-Key-Disclosure-CVE-2017-7455 | CVE-2017-7455 | HTTP_CSU-Moxa-MXview-Private-Key-Disclosure-CVE-2017-7455 | Potential Disclosure

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Car-Rental-System-1.0-File-Upload-RCE-CVE-2024-57487 | CVE-2024-57487 | HTTP_CRL-Car-Rental-System-1.0-File-Upload-RCE-CVE-2024-57487 | Suspected Compromise
High | Gladinet-CentreStack-MachineKey-Hard-Coded-Credentials-CVE-2025-30406 | CVE-2025-30406 | HTTP_CRL-Gladinet-CentreStack-MachineKey-Hard-Coded-Credentials-CVE-2025-30406 | Suspected Compromise

SIP UDP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Kamailio-SIP-To-Header-Out-Of-Bounds-Read-CVE-2018-14767 | CVE-2018-14767 | SIP-UDP_CS-Kamailio-SIP-To-Header-Out-Of-Bounds-Read-CVE-2018-14767 | Potential Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Cyberpanel-submitWebsiteCreation-Command-Injection-CVE-2024-53376 | CVE-2024-53376 | HTTP_CS-Cyberpanel-submitWebsiteCreation-Command-Injection-CVE-2024-53376 | Suspected Compromise | Description has changed

File Name

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | VBScript-File-Transfer | No CVE/CAN | File-Name_VBScript-File-Transfer | Suspected Botnet | Category tag situation Suspected Botnet added
    Category tag situation Potential Botnet removed

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | HTTP-Php-Error-Logging-Format-Strigs-Vulnerability | CVE-2000-0967 | HTTP_CSU-Php-Error-Loggin-Format-String-Exploit | Suspected Compromise | Name: HTTP_CSU-Php-Error-Loggin-Format-Strigs-Vuln-Strengur->HTTP_CSU-Php-Error-Loggin-Format-String-Exploit
    Fingerprint regexp changed
Low | HTTP-Php-Cgi-BOF | CVE-1999-0058 | HTTP_CSU-Php.cgi-Access | Potential Disclosure | Description has changed
High | Microsoft-Windows-Insecure-Library-Loading | CVE-2011-1991 | HTTP_CSU-Microsoft-Windows-Insecure-Library-Loading | Suspected Compromise | Detection mechanism updated
High | NetObserve-Authentication-Bypass | No CVE/CAN | HTTP_CSU-NetObserve-Authentication-Bypass | Potential Compromise | Fingerprint regexp changed
High | HP-Intelligent-Management-Center-Reporting-Information-Disclosure | No CVE/CAN | HTTP_CSU-Path-Traversal-Sequence-In-File-Name | Suspected Compromise | Description has changed
    Category tag group CVE2025 added
Low | Oracle-HTTP-Server-Mod-Access-Restriction-Bypass | CVE-2005-1383 | HTTP_CSU-Oracle-Potential-Vulnerability-Probe-Request | Potential Probe | Detection mechanism updated
High | JasperSoft-JasperReports-Server-Information-Disclosure-CVE-2018-5430 | CVE-2018-5430 | HTTP_CSU-JasperSoft-JasperReports-Server-Information-Disclosure-CVE-2018-5430 | Suspected Compromise | Fingerprint regexp changed
High | HTTP_System-File-Access | No CVE/CAN | HTTP_CSU-Suspected-System-File-Disclosure | Suspected Disclosure | Fingerprint regexp changed
High | Craft-CMS-Remote-Code-Execution-CVE-2024-56145 | CVE-2024-56145 | HTTP_CSU-Craft-CMS-Remote-Code-Execution-CVE-2024-56145 | Suspected Compromise | Fingerprint regexp changed
High | Gogs-GetDiffPreview-Argument-Injection-CVE-2024-39932 | CVE-2024-39932 | HTTP_CSU-Gogs-GetDiffPreview-Argument-Injection-CVE-2024-39932 | Suspected Compromise | Description has changed
High | Sojourn-File-Disclosure | CVE-2000-0180 | HTTP_CSU-Dot-Dot-Slash-And-Null-Byte-Sequence | Attack Related Anomalies | Detection mechanism updated
High | HTTP-Ipswitch-WhatsUp-Web-Interface-SQL-Injection | CVE-2005-1250 | HTTP_CSU-Ipswitch-WhatsUp-Professional-SQL-Injection | Potential Compromise | Fingerprint regexp changed
High | HTTP-Php-Function-Header-Injection | CVE-2002-1783 | HTTP_CSU-Php-Function-Header-Injection | Potential Compromise | Comment has changed
    Fingerprint regexp changed
High | Php-Suspicious-Include-Parameter | No CVE/CAN | HTTP_CSU-Php-Suspicious-Parameter-Containing-External-URI | Potential Compromise | Name: HTTP_CSU-Php-Suspicious-Include-Parameter->HTTP_CSU-Php-Suspicious-Parameter-Containing-External-URI
    Comment has changed
    Description has changed
    Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Wordpress-SureTriggers-Auth-Bypass-And-RCE-CVE-2025-3102 | CVE-2025-3102 | HTTP_CSH-Wordpress-SureTriggers-Auth-Bypass-And-RCE-CVE-2025-3102 | Suspected Compromise | Description has changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Wordpress-Plugin-Like-Button-Authentication-Bypass-CVE-2019-13344 | CVE-2019-13344 | HTTP_CRL-Wordpress-Plugin-Like-Button-Authentication-Bypass-CVE-2019-13344 | Suspected Compromise | Description has changed
High | Pandora-FMS-chromium_path-Or-phantomjs_bin-RCE-CVE-2024-12971 | CVE-2024-12971 | HTTP_CRL-Pandora-FMS-chromium_path-Or-phantomjs_bin-RCE-CVE-2024-12971 | Suspected Compromise | Description has changed
High | Pgadmin-Query-Tool-Authenticated-RCE-CVE-2025-2945 | CVE-2025-2945 | HTTP_CRL-Pgadmin-Query-Tool-Authenticated-RCE-CVE-2025-2945 | Suspected Compromise | Description has changed
High | Langflow-AI-RCE-CVE-2025-3248 | CVE-2025-3248 | HTTP_CRL-Langflow-AI-RCE-CVE-2025-3248 | Suspected Compromise | Description has changed
High | Openemr-Bronchitis-Form-Stored-Cross-Site-Scripting-CVE-2025-30161 | CVE-2025-30161 | HTTP_CRL-Openemr-Bronchitis-Form-Stored-Cross-Site-Scripting-CVE-2025-30161 | Suspected Compromise | Description has changed
High | Webmin-Cgi-xhr-get_autocompletes-Handling-Command-Injection-CVE-2024-12828 | CVE-2024-12828 | HTTP_CRL-Webmin-Cgi-xhr-get_autocompletes-Handling-Command-Injection-CVE-2024-12828 | Suspected Compromise | Description has changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | BentoML-RCE-CVE-2025-27520 | CVE-2025-27520 | File-Text_BentoML-RCE-CVE-2025-27520 | Suspected Compromise | Description has changed
High | BentoML-Runner-Server-RCE-CVE-2025-32375 | CVE-2025-32375 | File-Text_BentoML-Runner-Server-RCE-CVE-2025-32375 | Suspected Compromise | Description has changed
High | GLPI-Project-GLPI-Inventory-handleAgent-SQL-Injection-CVE-2025-24799 | CVE-2025-24799 | File-Text_GLPI-Project-GLPI-Inventory-handleAgent-SQL-Injection-CVE-2025-24799 | Suspected Compromise | Description has changed

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Gnu-Tar-From_Header-Out-Of-Bounds-Read | CVE-2022-48303 | File-Binary_Gnu-Tar-From_Header-Out-Of-Bounds-Read | Suspected Disclosure | Comment has changed
High | VMware-Vcenter-Server-Remote-Code-Execution-CVE-2021-21972 | CVE-2021-21972 | File-Binary_Suspicious-Long-Name-In-Gnu-Tar-Archive | Suspected Compromise | Detection mechanism updated
High | Winace-Rar-And-Tar-Directory-Traversal-Vulnerability | CVE-2006-0981 | File-Binary_Path-Traversal-Via-Tar-Archive | Suspected Compromise | Detection mechanism updated
High | Pear-Archive-Tar-Symbolic-Link-Handling-Arbitrary-File-Overwrite | CVE-2020-36193 | File-Binary_Suspicious-Link-Name-In-Tar-Archive | Suspected Compromise | Detection mechanism updated
High | Pear-Archive-Tar-Phar-Protocol-Handling-Deserialization-Code-Execution | CVE-2020-28948 | File-Binary_Suspicious-File-Name-In-Tar-Archive | Suspected Compromise | Detection mechanism updated

Identified Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | GLPI-Project-GLPI-Inventory-handleAgent-SQL-Injection-CVE-2025-24799 | CVE-2025-24799 | File-TextId_GLPI-Project-GLPI-Inventory-handleAgent-SQL-Injection-CVE-2025-24799 | Suspected Compromise | Description has changed

Archive type identification from member names

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | VBScript-File-Transfer | No CVE/CAN | File-Member-Name_VBScript-File-Transfer | Suspected Botnet | Category tag situation Suspected Botnet added
    Category tag situation Potential Botnet removed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Gladinet CentreStack
Category | Samsung MagicINFO
Category | Online Car Rental System
Category | Kamailio
Category | Spring Data REST

Updated objects:

Type | Name | Changes
Situation | HTTP_CSU-Php.cgi-Possible-File-Disclosure | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag group CVE1999 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Disclosure removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Situation | HTTP_CSU-Microsoft-Windows-Wab32res.dll-Insecure-Library-Loading | Fingerprint regexp changed
Situation | HTTP_CSU-InterScan-VirusWall-Directory-Traversal | Fingerprint regexp changed
Situation | HTTP_CSU-Novell-eDirectory-DOS-Device-Name-Denial-Of-Service | Fingerprint regexp changed
Situation | HTTP_CSU-Shared-Variables
Situation | HTTP_CSU-SHOUTcast-Request-Format-String-System-Compromise | Fingerprint regexp changed
Situation | HTTP_CSU-Long-HTTP-Request-URI | Fingerprint regexp changed
Situation | HTTP_CSU-IIS-Isapi-Filter-DoS | Fingerprint regexp changed
Situation | HTTP_CSU-Apple-Software-Update-Catalog-Filename-Format-String | Fingerprint regexp changed
Situation | HTTP_CSU-Php-Suspicious-Root-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Php-Suspicious-Go-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Php-Suspicious-Site-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Php-Suspicious-Basedir-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Php-Suspicious-Absolute-Path-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Dot-Dot-Slash-Directory-Traversal | Fingerprint regexp changed
Situation | HTTP_CSU-NetRisk-Remote-File-Inclusion | Fingerprint regexp changed
Situation | HTTP_CSU-Php-Suspicious-Document-Root-Parameter | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Php-Suspicious-External-Parameter-Reference | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Server-Side-Scripting-Suspicious-External-Parameter-Reference | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Possibly Unwanted Content removed
    Category tag group TCP Client Traffic removed
Situation | HTTP_CSU-Server-Side-Scripting-Suspicious-External-Text-File-Reference | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group HTTP URI Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Situation | HTTP_CSU-Php-Injection-Attack | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application PHP removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Compromise removed
    Category tag group HTTP Correlation Dependency Group removed
    Category tag group TCP Correlation Dependency Group removed
    Category tag group Severity over 4 Correlation Dependency Group removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Situation | HTTP_CSU-URI-Directory-Traversal | Fingerprint regexp changed
Situation | HTTP_CSU-NetGear-SSL312-Cgi-DoS | Description has changed
    Attacker: connection_source->none
    Victim: connection_destination->none
    Category tag situation Obsolete added
    Category tag os Any Operating System removed
    Category tag hardware Any Hardware removed
    Category tag application NetGear SSL312 removed
    Category tag group CVE2009 removed
    Category tag os_not_specific Any Operating System not specific removed
    Category tag situation Potential Denial of Service removed
    Category tag group TCP Client Traffic removed
    Fingerprint regexp changed
Application | NordVPN
Situation | File_Malware-MD5 | Detection mechanism updated
Situation | File_Blocked-Known-Bad-SHA1-2 | Detection mechanism updated
IPList | Okta IP Address List
IPList | NordVPN Servers IP Address List
IPList | Forcepoint Drop IP Address List
IPList | WeChat IP Address List

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.